TCP Security Vulnerabilities Phil Cayton CSE 581 2002.


1 TCP Security Vulnerabilities Phil Cayton CSE 581 2002

2 Papers Reviewed
1. C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, D. Zamboni, "Analysis of a Denial of Service Attack on TCP"
2. S. Bellovin, "Security Problems in the TCP/IP Protocol Suite"
3. S. Bellovin, "Defending Against Sequence Number Attacks"
4. S. Bellovin, "Packets Found on an Internet"
5. R. Morris, "A Weakness in the 4.2BSD Unix TCP/IP Software"

3 Topics
– SYN Flooding
– Sequence Number Prediction
– Source Routing Attacks
– Routing Information Protocol (RIP) Attacks
– Internet Control Message Protocol (ICMP) Attacks
– Comprehensive Defenses

4 SYN Flooding
– Attacker sends many connection requests (SYNs) with spoofed source addresses to the victim
– Victim allocates resources for each request
  – Only a finite number of half-open connections (the backlog queue) is supported
  – Each half-open connection is held for the TIMEOUT period
– Once the backlog is exhausted, all further connection requests are rejected
[Figure: normal connection establishment vs. SYN flooding attack]

5 SYN Flooding Defenses
– System configuration improvements
  – Reduce the timeout period
  – Increase the length of the backlog queue so more half-open connections fit
  – Disable non-essential services to present a smaller target
– Router configuration improvements
  – On external interfaces, block incoming packets whose source address belongs to the internal network (ingress filtering)
  – On internal interfaces, block outgoing packets whose source address is not from the internal network (egress filtering)
– Cryptographically sign the IP source addresses of all packets
  – Does not prevent SYN floods
  – Allows a flood to be traced back to its source
  – Possible deterrent?

6 SYN Flooding Defenses
Firewall as a Relay
– Firewall completes the three-way handshake on behalf of the destination
– Only once the client's connection is fully established does the firewall open a second connection to the destination and relay data between the two, translating sequence numbers
– Disadvantage: adds delay to every packet

7 SYN Flooding Defenses
Firewall as a Semi-transparent Gateway
– Gateway forges the third handshake message (the client's ACK) towards the destination as soon as it sees the SYN/ACK
– This moves the connection out of the destination's backlog queue, freeing resources
– If this is an attack, no "real" ACK will ever arrive; after a timeout the gateway sends an RST to the destination, terminating the connection
– If this is a legitimate connection request, the client's eventual ACK is ignored by the destination as a duplicate
– Disadvantages:
  – Large number of illegitimate fully open connections on the destination while under attack
  – Timeout periods must be chosen very carefully

8 SYN Flooding Defenses
[Figure: attack with semi-transparent gateway; legitimate connection with semi-transparent gateway]

9 SYN Flooding Defenses
Active Monitor
– Program that promiscuously monitors, and injects, network traffic to and from the machines it protects
– Watches the net for SYN packets that have not been acknowledged after a certain period of time
– If it detects a problem with a half-open connection it can
  – Send RST packets to the destination to release its resources
  – Complete the TCP connection by sending the ACK message itself
– Similar to the semi-transparent gateway, but requires no change to the traffic path
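The semi-transparent gateway of slide 7 and the active monitor of slide 9 both work from the same state machine: pass the SYN and SYN/ACK, forge the client's ACK, then either confirm the client with its real ACK or reset the connection on timeout. The simulation below is an added example written for this page, not code from any of the reviewed papers; the packet trace, addresses and timeout are constructed, and the `Packet`/`HalfOpen` types are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    t: float        # time the gateway sees the packet, in seconds
    src: str
    dst: str
    flags: str      # "SYN", "SYN/ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0


@dataclass
class HalfOpen:
    client_isn: int
    server_isn: Optional[int] = None
    forged_at: Optional[float] = None   # when the gateway forged the client's ACK


class SemiTransparentGateway:
    """Sits between clients and a protected server. It lets the SYN and the
    SYN/ACK pass, forges the client's ACK towards the server so the connection
    leaves the server's backlog, and resets the connection if the real ACK
    never shows up within `timeout` seconds."""

    def __init__(self, timeout: float):
        self.timeout = timeout
        self.half_open: dict = {}        # (client, server) -> HalfOpen
        self.established: set = set()    # (client, server) pairs confirmed by a real ACK
        self.injected: list = []         # packets the gateway itself sent

    def handle(self, pkt: Packet) -> None:
        self.expire(pkt.t)
        if pkt.flags == "SYN":
            # Client -> server. Remember ISN_C so later ACKs can be checked.
            self.half_open[(pkt.src, pkt.dst)] = HalfOpen(client_isn=pkt.seq)
        elif pkt.flags == "SYN/ACK":
            # Server -> client. Forge the third handshake message right away.
            key = (pkt.dst, pkt.src)
            state = self.half_open.get(key)
            if state is None or pkt.ack != state.client_isn + 1:
                return                   # not a reply to a SYN we saw
            state.server_isn, state.forged_at = pkt.seq, pkt.t
            self.injected.append(Packet(pkt.t, key[0], key[1], "ACK",
                                        seq=state.client_isn + 1, ack=pkt.seq + 1))
        elif pkt.flags == "ACK":
            # The real client ACK. The server drops it as a duplicate; for the
            # gateway it proves the client exists, so the timer is cancelled.
            key = (pkt.src, pkt.dst)
            state = self.half_open.get(key)
            if state and state.server_isn is not None and pkt.ack == state.server_isn + 1:
                self.established.add(key)
                del self.half_open[key]

    def expire(self, now: float) -> None:
        """Reset every forged connection whose real ACK is overdue."""
        for key, state in list(self.half_open.items()):
            if state.forged_at is not None and now - state.forged_at >= self.timeout:
                self.injected.append(Packet(now, key[0], key[1], "RST", seq=state.client_isn + 1))
                del self.half_open[key]


def run(trace, timeout: float, end_time: float) -> dict:
    """Feed a trace through the gateway and summarise what it did."""
    gw = SemiTransparentGateway(timeout)
    for pkt in sorted(trace, key=lambda p: p.t):
        gw.handle(pkt)
    gw.expire(end_time)
    return {
        "established": sorted(client for client, _ in gw.established),
        "forged_acks": sum(p.flags == "ACK" for p in gw.injected),
        "resets": sum(p.flags == "RST" for p in gw.injected),
    }


# Constructed trace: one legitimate client plus two spoofed SYNs whose SYN/ACKs
# go to addresses that never answer (documentation address ranges).
SERVER = "10.0.0.5"
TRACE = [
    Packet(0.00, "192.0.2.10", SERVER, "SYN", seq=1000),
    Packet(0.01, SERVER, "192.0.2.10", "SYN/ACK", seq=5000, ack=1001),
    Packet(0.02, "192.0.2.10", SERVER, "ACK", seq=1001, ack=5001),
    Packet(0.05, "203.0.113.7", SERVER, "SYN", seq=42),
    Packet(0.06, SERVER, "203.0.113.7", "SYN/ACK", seq=6000, ack=43),
    Packet(0.07, "203.0.113.8", SERVER, "SYN", seq=43),
    Packet(0.08, SERVER, "203.0.113.8", "SYN/ACK", seq=7000, ack=44),
]

if __name__ == "__main__":
    print(run(TRACE, timeout=1.0, end_time=5.0))
```

With a one-second timeout the two spoofed handshakes are reset and only the legitimate client stays established; raising the timeout delays the resets, which is the "must choose timeout periods very carefully" trade-off on slide 7.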

10 Sequence Number Prediction
Normal connection establishment:
C → S: SYN(ISN_C)
S → C: SYN(ISN_S), ACK(ISN_C)
C → S: ACK(ISN_S)
C → S: data and/or S → C: data

11 Sequence Number Prediction
Attack
– Predict the initial sequence number ISN_S the destination machine will use
  – Not impossible: initiate a legitimate connection, observe ISN_S, then extrapolate the next one from the known granularity and rate of change of the ISN counter
– Spoof the trusted machine T (X is the attacker; X never sees the second message and must guess ISN_S):
X → S: SYN(ISN_X), SRC = T
S → T: SYN(ISN_S), ACK(ISN_X)
X → S: ACK(ISN_S), SRC = T
X → S: ACK(ISN_S), SRC = T, nasty data

12 Sequence Number Prediction
What about the SYN/ACK sent back to the impersonated machine T? T never sent a SYN, so it would answer with an RST and kill the spoofed connection unless the attacker silences it:
– Bring it down
– SYN flood it until it discards packets and ignores the SYN/ACK

13 Sequence Number Prediction
Defenses
– Randomize the ISN increment
– Derive the ISN from a cryptographic hash function over some secret data and the connection's addresses and ports
– Only trust hosts on the same physical network
  – Train gateways to reject packets that claim to come from directly connected networks but do not
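To make the prediction attack of slide 11 and the hash-based defense of slide 13 concrete, the following added example (written for this page, not code from Morris or Bellovin) models two ISN generators and an attacker who opens one probe connection and extrapolates. The rate and step constants of the linear generator, the addresses and ports, and the demo secret are all assumptions constructed for the example.

```python
import hashlib
import hmac

WRAP = 0xFFFFFFFF


class LinearISN:
    """Predictable generator of the kind the slides warn about: the ISN advances
    by a fixed amount per second and by a fixed step per connection.
    Constants are illustrative (assumption), not taken from a specific OS."""

    def __init__(self, rate=128, step=64):
        self.rate, self.step, self.count = rate, step, 0

    def next_isn(self, now, src, sport, dst, dport):
        self.count += self.step
        return (int(now * self.rate) + self.count) & WRAP


class HashedISN:
    """ISN = clock component + keyed hash of (secret, 4-tuple). The clock still
    advances, but the per-tuple offset cannot be learned from a connection
    made from a different address."""

    def __init__(self, secret: bytes, rate=128):
        self.secret, self.rate = secret, rate

    def next_isn(self, now, src, sport, dst, dport):
        tuple_bytes = f"{src}:{sport}>{dst}:{dport}".encode()
        digest = hmac.new(self.secret, tuple_bytes, hashlib.sha256).digest()
        offset = int.from_bytes(digest[:4], "big")
        return (int(now * self.rate) + offset) & WRAP


def predict(observed_isn, elapsed, rate=128, step=64, slop=128):
    """Attacker's extrapolation: one more connection was opened (step) and
    `elapsed` seconds passed; allow `slop` either side for timing error."""
    base = (observed_isn + step + int(elapsed * rate)) & WRAP
    return {(base + k) & WRAP for k in range(-slop, slop + 1)}


def attack_succeeds(gen, t0=1000.0, elapsed=0.5) -> bool:
    """X probes S from its own address, then spoofs a SYN from trusted host T.
    Returns True if S's ISN for the spoofed connection is in X's guess set."""
    server = ("10.0.0.5", 513)          # constructed: service that trusts T by address
    attacker = ("203.0.113.9", 40000)   # X: opens a legitimate probe connection
    trusted = ("10.0.0.7", 1023)        # T: the host X impersonates
    observed = gen.next_isn(t0, *attacker, *server)           # X sees this SYN/ACK
    actual = gen.next_isn(t0 + elapsed, *trusted, *server)    # sent to T; X never sees it
    return actual in predict(observed, elapsed)


if __name__ == "__main__":
    print("linear ISN predicted:", attack_succeeds(LinearISN()))
    print("hashed ISN predicted:", attack_succeeds(HashedISN(b"constructed-demo-secret")))
```

Against the linear generator the guess set contains the real ISN because the probe reveals the counter and the attacker knows its rate; against the hashed generator the probe only reveals the offset for X's own 4-tuple, which says nothing about T's. Note that hashing alone does not stop an attacker who can sniff the SYN/ACK to T; it only removes the extrapolation shortcut.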

14 Source Routing Attacks
Attack
– If destination hosts use the reverse of the source route supplied in the TCP open request to return traffic:
  – Fake the source address of a packet and supply a source route that passes through the attacker
  – Pretend to be a trusted machine on the net; the replies come back along the attacker's route
Defenses
– Train gateways to reject external packets that claim to be from the local net
  – Can backfire if the path is trusted net → backbone → trusted net, since legitimate local packets then arrive from outside
– Reject pre-authorized (address-authenticated) connections if source routing information is present
– Accept a source-routed packet only if every gateway listed in the source route is trusted
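The router rules of slide 5 (block internal sources on the external interface and external sources on the internal one) and the source-routing defenses of slide 14 are all decisions on a packet's arrival interface, source address and route option. The policy function below is an added example written for this page, not code from the reviewed papers; the internal prefix, trusted gateway set, packet record and sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: the site's own prefix and the gateways it trusts to
# appear in a source-route option (assumptions made for the example).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
TRUSTED_GATEWAYS = frozenset({"10.0.0.1", "192.0.2.1"})


@dataclass(frozen=True)
class IPPacket:
    iface: str                  # "external" or "internal": interface it arrived on
    src: str
    dst: str
    source_route: tuple = ()    # hops listed in a source-route option, if any


def decide(pkt: IPPacket, address_authenticated: bool = False,
           internal=INTERNAL, trusted=TRUSTED_GATEWAYS) -> str:
    """Return "accept" or a "drop: <reason>" string for one packet.

    address_authenticated is True when the destination service trusts the
    source address alone (the pre-authorized case on slide 14)."""
    src = ipaddress.ip_address(pkt.src)
    # Anti-spoofing on both sides of the gateway (slide 5).
    if pkt.iface == "external" and src in internal:
        return "drop: external packet claims an internal source"
    if pkt.iface == "internal" and src not in internal:
        return "drop: internal packet claims an external source"
    # Source-routing policy (slide 14).
    if pkt.source_route:
        if address_authenticated:
            return "drop: source-routed request to an address-authenticated service"
        hops = {str(ipaddress.ip_address(h)) for h in pkt.source_route}
        if not hops <= trusted:
            return "drop: source route lists an untrusted gateway"
    return "accept"


def filter_trace(trace, **kw):
    """Apply decide() to a list of packets; returns (src, verdict) pairs."""
    return [(p.src, decide(p, **kw)) for p in trace]


# Constructed sample packets (documentation address ranges).
SAMPLE = [
    IPPacket("external", "10.1.2.3", "10.0.0.5"),                          # spoofed internal source
    IPPacket("internal", "198.51.100.4", "10.0.0.5"),                      # spoofed external source from inside
    IPPacket("external", "198.51.100.4", "10.0.0.5"),                      # ordinary inbound packet
    IPPacket("external", "198.51.100.4", "10.0.0.5", ("192.0.2.1",)),      # source-routed via trusted gateway
    IPPacket("external", "198.51.100.4", "10.0.0.5", ("198.51.100.250",)), # source-routed via unknown hop
]

if __name__ == "__main__":
    for src, verdict in filter_trace(SAMPLE):
        print(f"{src:16} {verdict}")
```

The "can backfire" caveat on slide 14 shows up here too: if two halves of the trusted net are joined over an outside backbone, legitimate packets with `INTERNAL` sources arrive on the external interface and the first rule drops them, so the prefix used for the check must describe only what is really directly attached.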

15 Routing Information Protocol (RIP) Attacks
Attack
– Intruder sends bogus routing information to a target and to each of the gateways along the route
– Impersonates an unused host
  – Diverts traffic for that host to the intruder's machine
– Impersonates a used host
  – All traffic to that host is routed to the intruder's machine
  – Intruder inspects the packets and resends them to the real host using source routing, so the victim notices nothing
  – Allows capturing of unencrypted passwords, data, etc.

16 Routing Information Protocol (RIP) Attacks
Defenses
– Paranoid gateway
  – Filters packets based on source and/or destination addresses
– Don't accept new routes to local networks
  – Interferes with fault tolerance, but detects intrusion attempts
– Authenticate RIP packets
  – Difficult in a broadcast protocol
  – Only authenticates the immediate sender; does not address information relayed from a deceived gateway upstream

17 Internet Control Message Protocol (ICMP) Attacks
Attack
– Targeted Denial of Service (DoS)
  – Attacker sends an ICMP Redirect message to install a bogus route
  – Attacker sends Destination Unreachable or Time Exceeded (TTL exceeded) messages to reset existing connections
  – Attacker sends fraudulent Subnet Mask Reply messages
– Blocks communication with the target
Defenses
– Verify that an ICMP error message contains a plausible sequence number: the quoted TCP header must match an existing connection and fall within its window
– Don't modify the global route table because of ICMP Redirect messages
– Disallow ICMP Redirects altogether?
– Check whether multiple ICMP messages from a host agree
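The "plausible sequence number" check on slide 17 relies on the fact that ICMP error messages quote the IP header and the first eight bytes of the offending datagram, which for TCP includes both ports and the sequence number. The parser and check below are an added example written for this page, not code from Bellovin's paper; the ICMP messages, the connection table and its send-window values are constructed for the example, and checksums are left at zero because nothing here transmits them.

```python
import ipaddress
import struct

SEQ_MOD = 1 << 32


def build_ipv4_header(src: str, dst: str, proto: int = 6, total_len: int = 40) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left at 0; constructed data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def build_icmp_error(orig_src: str, orig_dst: str, sport: int, dport: int, seq: int,
                     icmp_type: int = 3, code: int = 3) -> bytes:
    """ICMP Destination Unreachable (type 3) or Time Exceeded (type 11) quoting
    the offending datagram: its IP header plus the first 8 bytes of the TCP
    header (ports and sequence number), as RFC 792 requires."""
    quoted = build_ipv4_header(orig_src, orig_dst) + struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted


def parse_icmp_error(msg: bytes) -> dict:
    """Pull the quoted 4-tuple and sequence number out of an ICMP error."""
    icmp_type, code, _csum, _unused = struct.unpack_from("!BBHI", msg, 0)
    if icmp_type not in (3, 11):
        raise ValueError("not an ICMP error that quotes a datagram")
    ip = 8                                   # quoted IP header starts after the ICMP header
    ihl = (msg[ip] & 0x0F) * 4
    if msg[ip + 9] != 6:
        raise ValueError("quoted datagram is not TCP")
    src = str(ipaddress.IPv4Address(msg[ip + 12:ip + 16]))
    dst = str(ipaddress.IPv4Address(msg[ip + 16:ip + 20]))
    sport, dport, seq = struct.unpack_from("!HHI", msg, ip + ihl)
    return {"type": icmp_type, "code": code, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "seq": seq}


# Constructed connection table of the receiving host:
# (local ip, local port, remote ip, remote port) -> unacknowledged send window.
CONNECTIONS = {
    ("10.0.0.5", 40001, "198.51.100.20", 80): {"snd_una": 1000, "snd_nxt": 1400},
}


def icmp_error_is_plausible(msg: bytes, conns=CONNECTIONS) -> tuple:
    """Accept the error only if the quoted segment could be one we sent: the
    4-tuple is a live connection and the sequence number lies in the send
    window [snd_una, snd_nxt). Comparisons are done modulo 2**32."""
    err = parse_icmp_error(msg)
    conn = conns.get((err["src"], err["sport"], err["dst"], err["dport"]))
    if conn is None:
        return False, "no such connection"
    una, nxt = conn["snd_una"], conn["snd_nxt"]
    if (err["seq"] - una) % SEQ_MOD >= (nxt - una) % SEQ_MOD:
        return False, "sequence number outside send window"
    return True, "plausible"


if __name__ == "__main__":
    good = build_icmp_error("10.0.0.5", "198.51.100.20", 40001, 80, seq=1200)
    bogus = build_icmp_error("10.0.0.5", "198.51.100.20", 40001, 80, seq=99999)
    print(icmp_error_is_plausible(good), icmp_error_is_plausible(bogus))
```

A forged Destination Unreachable that does not know the live sequence number (the attacker on slide 17 is off-path) is discarded, while one quoting a segment actually in flight still resets the connection; the check raises the bar rather than eliminating the attack.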

18 Comprehensive Defenses
Authentication
– Pre-authorize connections using session keys
  – DNS provides the structure and redundancy to support this
  – Must use an encrypted key distribution request/response
Encryption
– Link-level encryption
  – Encrypt each packet as it leaves the host
  – Doesn't work well for broadcast packets
  – Not end-to-end, so the gateways must be trusted
– Multi-point link encryption
  – Physical device; interfaces with a Key Distribution Center for keys
– Application-level end-to-end encryption
  – Lots of overhead; many more correspondent pairs at this level

19 Comprehensive Defenses
Trusted Systems
– Reject all packets authenticated only by source address
– Turn off the netstat and finger services
– Encode the process's security level in the TCP/IP security headers
– Only allow connection requests to succeed at the appropriate security level
– Only allow packet transfers over links at or above the security level
– Does not prevent captured traces from being used against targets
– Does not protect against RIP spoofing

20 Summary
– Turn off non-essential services that give away information
  – finger, netstat, etc.
– Increase the memory of machines and the length of the backlog queue
– Use an active monitor to try to minimize damage
– Randomize the sequence number increment and/or determine the ISN cryptographically

21 Discussion ?

